February 23, 2001, 12:15 PM — The number of suspicious probes and scans designed to find vulnerable domain name servers on corporate networks shot up 280% last month and continues to climb, according to IT managers and a new survey conducted by a network security monitoring firm.
A survey released last week by Alameda, Calif.-based Pilot Network Services Inc. found that suspected hackers made as many as 6,000 attempts last month -- compared to approximately 2,200 in December -- to locate vulnerable domain name servers across corporate networks. Pilot collected the information for the survey from its regional network operations centers, which monitor 70,000 corporate networks belonging to Pilot clients worldwide.
The spike in the number of scans came as no surprise to many users and security experts, who said hackers are stepping up their efforts to uncover corporate systems that haven't been fixed for vulnerabilities discovered last month in the Berkeley Internet Name Domain (BIND) server from the Redwood City, Calif.-based Internet Software Consortium.
In fact, many companies don't even know they are being scanned or if their networks have been compromised, security specialists said.
Meanwhile, other experts warned that hackers with track records of developing sophisticated automated hacking tools are already planning to cross-breed Internet worms, such as the recent Ramen worm, with other DNS exploits, thus creating the potential for widespread network problems.
"There are a couple of worms on the horizon that will probably be the next breaking story," said Amit Yoran, CEO of Riptech Inc., a network security firm in Alexandria, Va. "In literally a matter of hours, a very large number of zombie hosts can be created for planned [distributed denial-of-service] attacks, multiple hopping points to cover your tracks and other activities."
IT managers across the nation also are reporting a rise in DNS-related probes, with many attributing the increase to the Jan. 29 public announcement of vulnerabilities in BIND.
Keith Morgan, a network security specialist at Terradon Communications Group LLC, a Nitro, W. Va.-based Internet software developer for Fortune 500 firms, said his company has detected more than 15,000 individual probes for vulnerabilities on its networks since October. But the scans recently shifted from those looking for vulnerable file transfer protocol servers to Port 53, where DNS resolution queries are handled in older versions of BIND.
"Our remote sites and VPN users connecting over both dial-up and broadband technologies are also reporting major increases in scans for DNS servers," said Morgan.